{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,21]],"date-time":"2025-12-21T06:25:04Z","timestamp":1766298304434,"version":"3.41.0"},"reference-count":54,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,2,22]],"date-time":"2025-02-22T00:00:00Z","timestamp":1740182400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,5,31]]},"abstract":"<jats:p>\n            The number of login options on websites has increased since the introduction of web single sign-on (SSO) protocols. Web SSO services allow users to grant websites or\n            <jats:italic>relying parties<\/jats:italic>\n            (RPs) access to their personal profile information from\n            <jats:italic>identity provider<\/jats:italic>\n            (IdP) accounts. Many RP sites fail to provide sufficient privacy-related information to allow users to make informed login decisions. Moreover, privacy differences in permission requests across login options are largely hidden from users and are time-consuming to manually extract and compare. In this article, we present an empirical analysis of popular RP implementations supporting three major IdP login options (Facebook, Google, and Apple) and categorize RPs in the top 500 sites into four client-side code patterns. Informed by these RP patterns, we design and implement SSOPrivateEye (SPEye), a browser extension prototype that extracts and displays to users permission request information from SSO login options in RPs covering the three IdPs.\n          <\/jats:p>","DOI":"10.1145\/3711898","type":"journal-article","created":{"date-parts":[[2025,1,9]],"date-time":"2025-01-09T11:40:36Z","timestamp":1736422836000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["\u201cSign in with ...\n            <i>Privacy<\/i>\n            \u201d: Timely Disclosure of Privacy Differences among Web SSO Login Options"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-2218-1935","authenticated-orcid":false,"given":"Srivathsan G.","family":"Morkonda","sequence":"first","affiliation":[{"name":"School of Computer Science, Carleton University, Ottawa, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7314-2198","authenticated-orcid":false,"given":"S.","family":"Chiasson","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University, Ottawa, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5038-5370","authenticated-orcid":false,"given":"P. C.","family":"van Oorschot","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University, Ottawa, Canada"}]}],"member":"320","published-online":{"date-parts":[[2025,2,22]]},"reference":[{"issue":"5","key":"e_1_3_3_2_2","first-page":"112:1\u2013112:34","article-title":"Comparative analysis and framework evaluating web single sign-on systems","volume":"53","author":"Alaca Furkan","year":"2020","unstructured":"Furkan Alaca and Paul C. van Oorschot. 2020. Comparative analysis and framework evaluating web single sign-on systems. ACM Comput. Surv. 53, 5 (2020), 112:1\u2013112:34.","journal-title":"ACM Comput. Surv."},{"key":"e_1_3_3_3_2","article-title":"Sign in with Apple","year":"2021","unstructured":"Apple. 2021. Sign in with Apple. Retrieved January 2021 from https:\/\/developer.apple.com\/documentation\/sign_in_with_apple. (2021).","journal-title":"https:\/\/developer.apple.com\/documentation\/sign_in_with_apple"},{"key":"e_1_3_3_4_2","article-title":"App Privacy Details on the App Store","year":"2022","unstructured":"Apple. 2022. App Privacy Details on the App Store. Retrieved June 2022 from https:\/\/developer.apple.com\/app-store\/app-privacy-details\/. (2022).","journal-title":"https:\/\/developer.apple.com\/app-store\/app-privacy-details\/"},{"key":"e_1_3_3_5_2","article-title":"What is Hide My Email?","year":"2022","unstructured":"Apple. Nov 2022. What is Hide My Email? Retrieved November 2022 from https:\/\/support.apple.com\/en-us\/HT210425. (Nov 2022).","journal-title":"R"},{"key":"e_1_3_3_6_2","volume-title":"NDSS","author":"Bai Guangdong","year":"2013","unstructured":"Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. 2013. AuthScan: Automatic extraction of web authentication protocols from implementations. In NDSS."},{"key":"e_1_3_3_7_2","volume-title":"USENIX Security","author":"Balash David G.","year":"2022","unstructured":"David G. Balash, Xiaoyuan Wu, Miles Grant, Irwin Reyes, and Adam J. Aviv. 2022. Security and privacy perceptions of third-party application access for Google accounts. In USENIX Security."},{"key":"e_1_3_3_8_2","volume-title":"WEIS (WEIS\u201907)","author":"B\u00f6hme Rainer","year":"2007","unstructured":"Rainer B\u00f6hme and Sven Koble. 2007. On the viability of privacy-enhancing technologies in a self-regulated business-to-consumer market: Will privacy remain a luxury good?. In WEIS (WEIS\u201907)."},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3581764"},{"key":"e_1_3_3_11_2","unstructured":"Stephanie Curran. Feb 2023. Developer Platform will Now Require Business Verification for Advanced Access. Retrieved April 2023 from https:\/\/developers.facebook.com\/blog\/post\/2023\/02\/01\/developer-platform-requiring-business-verification-for-advanced-access\/. (Feb 2023)."},{"key":"e_1_3_3_12_2","volume-title":"HotPETs","author":"Dey Arkajit","year":"2010","unstructured":"Arkajit Dey and Stephen Weis. 2010. PseudoID: Enhancing privacy in federated login. In HotPETs."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417869"},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_3_15_2","unstructured":"Facebook. 2022. Permissions Reference. Retrieved June 2022 from https:\/\/developers.facebook.com\/docs\/facebook-login\/guides\/permissions\/. (2022)."},{"key":"e_1_3_3_16_2","volume-title":"ACM CCS","author":"Fett Daniel","year":"2015","unstructured":"Daniel Fett, Ralf K\u00fcsters, and Guido Schmitz. 2015. SPRESSO: A secure, privacy-respecting single sign-on system for the web. In ACM CCS."},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_3_18_2","volume-title":"USENIX Security","author":"Ghasemisharif Mohammad","year":"2018","unstructured":"Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis. 2018. O single sign-off, where art thou? An empirical analysis of single sign-on account hijacking and session management on the web. In USENIX Security."},{"key":"e_1_3_3_19_2","article-title":"Google Sign-In JavaScript Client Reference","year":"2022","unstructured":"Google. 2022. Google Sign-In JavaScript Client Reference. Retrieved June 2022 from https:\/\/developers.google.com\/identity\/sign-in\/web\/reference. (2022).","journal-title":"https:\/\/developers.google.com\/identity\/sign-in\/web\/reference"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","unstructured":"Hana Habib Megan Li Ellie Young and Lorrie Faith Cranor. 2022. \u201cOkay whatever\u201d: An evaluation of cookie consent interfaces. In CHI (CHI\u201922). ACM New York NY USA Article 621 27 pages. DOI:DOI:10.1145\/3491102.3501985","DOI":"10.1145\/3491102.3501985"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","unstructured":"Hana Habib Sarah Pearman Jiamin Wang Yixin Zou Alessandro Acquisti Lorrie Faith Cranor Norman Sadeh and Florian Schaub. 2020. \u201cIt\u2019s a scavenger hunt\u201d: Usability of websites\u2019 opt-out and data deletion choices. In CHI (CHI\u201920). ACM New York NY USA 1\u201312. DOI:DOI:10.1145\/3313831.3376511","DOI":"10.1145\/3313831.3376511"},{"key":"e_1_3_3_22_2","volume-title":"AsiaCCS","author":"Hammann Sven","year":"2020","unstructured":"Sven Hammann, Ralf Sasse, and David Basin. 2020. Privacy-preserving OpenID connect. In AsiaCCS."},{"key":"e_1_3_3_23_2","volume-title":"CHI","author":"Harbach Marian","year":"2014","unstructured":"Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. 2014. Using personal examples to improve risk communication for security and privacy decisions. In CHI."},{"key":"e_1_3_3_24_2","article-title":"RFC 6749: The OAuth 2.0 Authorization Framework","author":"Hardt Dick","year":"2012","unstructured":"Dick Hardt. 2012. RFC 6749: The OAuth 2.0 Authorization Framework. Retrieved August 2024 from https:\/\/tools.ietf.org\/html\/rfc6749. (2012).","journal-title":"https:\/\/tools.ietf.org\/html\/rfc6749"},{"key":"e_1_3_3_25_2","doi-asserted-by":"crossref","DOI":"10.1515\/popets-2016-0032","article-title":"The curious case of the PDF converter that likes mozart: Dissecting and mitigating the privacy risk of personal cloud apps","author":"Harkous Hamza","year":"2016","unstructured":"Hamza Harkous, Rameez Rahman, Bojan Karlas, and Karl Aberer. 2016. The curious case of the PDF converter that likes mozart: Dissecting and mitigating the privacy risk of personal cloud apps. InPoPETs .","journal-title":"PoPETs"},{"key":"e_1_3_3_26_2","volume-title":"IEEE EuroS&P","author":"Jannett Louis","year":"2024","unstructured":"Louis Jannett, Maximilian Westers, Tobias Wich, Christian Mainka, Andreas Mayer, and Vladislav Mladenov. 2024. SoK: SSO-monitor - The current state and future research directions in single sign-on security measurements. In IEEE EuroS&P. arXiv:2302.01024. Retrieved from https:\/\/arxiv.org\/abs\/2302.01024"},{"key":"e_1_3_3_27_2","article-title":"RFC 7519: JSON Web Token (JWT)","author":"Jones Michael B.","year":"2015","unstructured":"Michael B. Jones, John Bradley, and Nat Sakimura. 2015. RFC 7519: JSON Web Token (JWT). Retrieved August 2024 from https:\/\/tools.ietf.org\/html\/rfc7519. (2015).","journal-title":"https:\/\/tools.ietf.org\/html\/rfc7519"},{"key":"e_1_3_3_28_2","volume-title":"IFIP Networking","author":"J\u00e4rpehult Oscar","year":"2022","unstructured":"Oscar J\u00e4rpehult, Fredrik Josefsson \u00c5gren, Madeleine B\u00e4ckstr\u00f6m, Linn Hallonqvist, and Niklas Carlsson. 2022. A longitudinal characterization of the third-party authentication landscape. In IFIP Networking."},{"key":"e_1_3_3_29_2","volume-title":"CHI","author":"Kelley Patrick Gage","year":"2010","unstructured":"Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. 2010. Standardizing privacy notices: An online study of the nutrition label approach. In CHI."},{"key":"e_1_3_3_30_2","volume-title":"CHI","author":"Kelley Patrick Gage","year":"2013","unstructured":"Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. 2013. Privacy as part of the app decision-making process. In CHI."},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_3_32_2","volume-title":"SSR","author":"Li Wanpeng","year":"2019","unstructured":"Wanpeng Li, Chris J. Mitchell, and Thomas Chen. 2019. OAuthGuard: Protecting user security and privacy with OAuth 2.0 and OpenID connect. In SSR."},{"key":"e_1_3_3_33_2","volume-title":"IEEE EuroS&P","author":"Mainka Christian","year":"2017","unstructured":"Christian Mainka, Vladislav Mladenov, J\u00f6rg Schwenk, and Tobias Wich. 2017. SoK: Single sign-on security \u2013 an evaluation of OpenID connect. In IEEE EuroS&P."},{"key":"e_1_3_3_34_2","volume-title":"IEEE S& P","author":"Mayer Jonathan R.","year":"2012","unstructured":"Jonathan R. Mayer and John C. Mitchell. 2012. Third-party web tracking: Policy and technology. In IEEE S& P."},{"key":"e_1_3_3_35_2","volume-title":"WPES","author":"Morkonda Srivathsan G.","year":"2021","unstructured":"Srivathsan G. Morkonda, Sonia Chiasson, and Paul C. van Oorschot. 2021. Empirical analysis and privacy implications in OAuth-based single sign-on systems. In WPES."},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103666"},{"key":"e_1_3_3_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3397884"},{"key":"e_1_3_3_38_2","article-title":"Cross-Site Request Forgery Prevention Cheat Sheet: Storing the CSRF Token Value in the DOM","year":"2022","unstructured":"OWASP. 2022. Cross-Site Request Forgery Prevention Cheat Sheet: Storing the CSRF Token Value in the DOM. Retrieved June 2022 from https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#storing-the-csrf-token-value-in-the-dom. (2022).","journal-title":"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#storing-the-csrf-token-value-in-the-dom"},{"key":"e_1_3_3_39_2","article-title":"It\u2019s Time for OAuth 2.1","author":"Parecki Aaron","year":"2019","unstructured":"Aaron Parecki. December 12, 2019. It\u2019s Time for OAuth 2.1. Retrieved January 2021 from https:\/\/aaronparecki.com\/2019\/12\/12\/21\/its-time-for-oauth-2-dot-1. (December 12, 2019).","journal-title":"https:\/\/aaronparecki.com\/2019\/12\/12\/21\/its-time-for-oauth-2-dot-1"},{"key":"e_1_3_3_40_2","volume-title":"ASE (ASE\u201919)","author":"Rahat Tamjid Al","year":"2019","unstructured":"Tamjid Al Rahat, Yu Feng, and Yuan Tian. 2019. OAuthLint: An empirical study on OAuth bugs in android applications. In ASE (ASE\u201919)."},{"key":"e_1_3_3_41_2","volume-title":"ACM CCS","author":"Rahat Tamjid Al","year":"2022","unstructured":"Tamjid Al Rahat, Yu Feng, and Yuan Tian. 2022. Cerberus: Query-driven scalable security checking for OAuth service provider implementations. In ACM CCS."},{"key":"e_1_3_3_42_2","volume-title":"USENIX Security","author":"Reardon Joel","year":"2019","unstructured":"Joel Reardon, \u00c1lvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. 2019. 50 ways to leak your data: An exploration of apps\u2019 circumvention of the android permissions system. In USENIX Security."},{"key":"e_1_3_3_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660460.2660471"},{"key":"e_1_3_3_44_2","unstructured":"Nat Sakimura John Bradley Michael B. Jones Breno de Medeiros and Chuck Mortimore. 2014. OpenID Connect Core 1.0. Retrieved January 2021 from https:\/\/openid.net\/specs\/openid-connect-core-1_0.html. (2014)."},{"key":"e_1_3_3_45_2","article-title":"WebDriver","year":"2021","unstructured":"Selenium. 2021. WebDriver. Retrieved January 2021 from https:\/\/www.selenium.dev\/documentation\/en\/webdriver\/. (2021).","journal-title":"R"},{"key":"e_1_3_3_46_2","volume-title":"SOUPS","author":"Shehab Mohamed","year":"2011","unstructured":"Mohamed Shehab, Said Marouf, and Christopher Hudel. 2011. ROAuth: Recommendation based open authorization. In SOUPS."},{"key":"e_1_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_3_48_2","volume-title":"SOUPS","author":"Sun San-Tsai","year":"2011","unstructured":"San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. 2011. What makes users refuse web single sign-on? An empirical investigation of OpenID. In SOUPS."},{"key":"e_1_3_3_49_2","doi-asserted-by":"publisher","unstructured":"Christine Utz Martin Degeling Sascha Fahl Florian Schaub and Thorsten Holz. 2019. (Un)informed consent: Studying GDPR consent notices in the field. In ACM CCS (CCS\u201919). ACM New York NY USA 973\u2013990. DOI:DOI:10.1145\/3319535.3354212","DOI":"10.1145\/3319535.3354212"},{"key":"e_1_3_3_50_2","volume-title":"USENIX Security","author":"Wang Rui","year":"2013","unstructured":"Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, and Yuri Gurevich. 2013. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. In USENIX Security."},{"key":"e_1_3_3_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.51"},{"key":"e_1_3_3_52_2","article-title":"List of OAuth Providers","year":"2022","unstructured":"Wikipedia. 2022. List of OAuth Providers. Retrieved June 2022 from https:\/\/en.wikipedia.org\/wiki\/List_of_OAuth_providers. (2022).","journal-title":"https:\/\/en.wikipedia.org\/wiki\/List_of_OAuth_providers"},{"key":"e_1_3_3_53_2","article-title":"MISO: Legacy-compatible privacy-preserving single sign-on using trusted execution environments","author":"Xu Rongwu","year":"2023","unstructured":"Rongwu Xu, Sen Yang, Fan Zhang, and Zhixuan Fang. 2023. MISO: Legacy-compatible privacy-preserving single sign-on using trusted execution environments. In IEEE EuroS&P .","journal-title":"IEEE EuroS&P"},{"key":"e_1_3_3_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_3_55_2","volume-title":"USENIX Security","author":"Zhou Yuchen","year":"2014","unstructured":"Yuchen Zhou and David Evans. 2014. SSOScan: Automated testing of web applications for single sign-on vulnerabilities. In USENIX Security."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3711898","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3711898","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:09Z","timestamp":1750295889000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3711898"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,22]]},"references-count":54,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,5,31]]}},"alternative-id":["10.1145\/3711898"],"URL":"https:\/\/doi.org\/10.1145\/3711898","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2025,2,22]]},"assertion":[{"value":"2023-08-17","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-18","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}